Can you hire your way to security resilience? We all seek that place where you’re able to protect all aspects of your business by anticipating and responding to threats and change, and then emerging stronger…but what role do people play in getting there?

The short answer is…no. Hiring alone won’t get you there.

But there are strategies you can build into your security culture that can have a big impact on both your hiring and retention practices – and that can lead to greater resilience. Like many worthy ambitions in life, a healthy security culture cannot be achieved without time and effort. It must be planted and grown. One thing that is underappreciated is how important consistent voices are in the ‘planting and growing’ of your culture.

I was shocked to read that the latest Cisco Security Outcomes Report addresses the crucial topic of talent when it comes to security resilience. The Security Outcomes Report, Volume 3: Achieving Security Resilience arrives with a fascinating puzzle. When asked which of the nine key security resilience outcomes were most important, just 3.8% of executives ranked recruiting and retaining talented security personnel at the top. According to the report, security leadership is far more concerned about preventing breaches (41.4%) and mitigating losses from security incidents (39.1%). Yet the most daunting outcome for organizations of all sizes is recruiting and retaining security talent, and it is arguably one of the most important factors in preventing breaches and mitigating losses!

In other words, getting the right people in the door and keeping them is a key challenge for security executives, even though it ranks last as a priority. Beefing up hiring practices alone will not solve the security resilience problem – the report makes this clear – but if finding and keeping talent is your top challenge, it must be made a priority. The hidden costs of failing to retain talent are high, and the ripple effects can impact your strategy and even its implementation.

Organizations that foster a strong security culture also saw a 46% increase in resilience. What colleagues and I have learned from working tirelessly to recruit and retain top talent is that the wrong security culture will not attract innovative talent. Stringent security practices and policies in the wrong places can work against you. The goal is not to lock down your enterprise at the expense of business growth and innovation.

“The goal is to strike a balance between strengthening your security posture while creating an environment in which top talent can collaborate, innovate, and thrive.”

Security professionals must strive not to be seen only as the organization of “no.” Only when that is achieved will the culture be sufficiently empowered and mature.

Great. How do you do that?

As every security practitioner knows, there are no victory laps – our job changes every day and is never-ending. And every day, I challenge myself and my team to take steps to improve our culture. Here’s what we’ve learned so far.

Practice pragmatism

Preventing breaches and mitigating losses will always be top priorities for security teams, but this is only possible once you understand what makes the business run. Developing a strong security culture starts with understanding where you are vulnerable and what your team needs to build resilience. This can be scary because a) security people often love security but don’t live the business priorities day-to-day, and b) admitting you have weaknesses is…well…scary. You must understand the tools and applications your employees need to do their jobs and the security and privacy implications of each. Start by evaluating your environment to get a deeper understanding of your dependencies. Ask yourself: What is this tool? Why is it in my environment? What is the minimum set of privileges users need to do their jobs while keeping the enterprise safe? Resist the natural reaction to be overly strict and tie the hands of your teams and extended enterprise. (After all, employees generally aim to get their job done, and making that hard will drive bad behaviors and workarounds.) What are you really trying to do – check an audit box, or close the gaps in your coverage and reduce your cyber risk? Focus on nailing the security basics first to better understand your team on a practical level.

Promote unity 

Security teams are given great responsibility and power to protect an enterprise, its customers, and its partners. In other words, security teams have big sticks to use when needed, but wielding that big stick should not be the default. In my experience, miserable products come from miserable experiences. Resist asking your business teams for the world. Real progress happens when cybersecurity and business teams come together around a finite set of priorities to co-design and implement the programs, processes, and policies that balance cybersecurity’s risk-management requirements with the organization’s top-line priorities for customers. When this unification happens, cybersecurity practices are regularly updated to meet new threats while enabling business transformation. Unity leads to risk visibility, a strong security culture, and conscious, joint risk-taking.

Embrace transparency

Organizations whose respondents reported high communication ratings showed a 27% increase in security resilience scores over those who said their security programs lack transparency. Yet historically, security has been opaque. Too often, remediation teams are instructed to “Patch that system because I told you so.” You simply cannot grow a strong security culture without transparency, from internal stakeholders to third-party suppliers. These conversations are a two-way street. Every day I push my team – and myself – to be “bumper sticker” clear with our stakeholders. Invest the time to discuss and clearly communicate the impact of threats or vulnerabilities that can spread risk across your company and ecosystem: which systems are exposed, what an attacker could do with them, and why this fix matters now. Create a space where it is acceptable to point out where security is seen as slowing the business down. Have these difficult conversations about risk and security gaps transparently.

I will close with a reminder that you are not alone. Communities are essential to our collective success. By practicing pragmatism, promoting unity, and embracing real conversations about risk, we can help each other bolster and mature our security cultures. And that makes us all more resilient.

For more on building a strong security culture, take a look at our latest infographic that breaks down 7 obstacles to security resilience and how to overcome them. 

For more information on Cisco’s long-term commitment to building a security culture, visit our Trust Center.

Anthony Grieco

SVP & Chief Security & Trust Officer

Security and Trust Organization